lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Jan 2004 12:47:35 -0800 From: Gadi Evron <ge@...uxbox.org> To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com Subject: yet another new phising scam This phishing scam was first detected (as far as I know) by a friend of mine 3 days ago, on the 20th of January. He sent it to some related security companies, but I haven't seen much on it, so I figured it's time to let administrators know exactly what's up. This one targets Citibank users. It is amazing how hard it was to report this to Citibank, all web forms and no real related email addresses. You can find the GIF file (with the exact wording of the scam) at http://www.math.org.il/pic.gif (safe to view). The email headers + test body are attached below. Gadi Evron. The Trojan Horses Research Mailing List - http://ecompute.org/th-list Received: from c60.cesmail.net ([216.154.195.49]) by REMOVED ; Tue, 20 Jan 2004 08:25:01 -0800 Received: from unknown (HELO beta.cesmail.net) (192.168.1.150) by c60.cesmail.net with SMTP; 20 Jan 2004 11:25:01 -0500 Removed some recieved lines. Message-ID: <la$9$o866-$86-1ua9@...j64pvuq> From: "Citi" <billing@...ibank.com> Reply-To: "Citi" <billing@...ibank.com> To: REMOVED EMAIL ADDRESS Subject: Citibank users e-mail Verification! Date: Tue, 20 Jan 04 18:43:55 GMT X-Mailer: Internet Mail Service (5.5.2650.21) MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="D__BD6.569CA484C" X-Priority: 3 X-MSMail-Priority: Normal X-Rcpt-To: <jberg@...mpute.org> X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on blade1 X-Spam-Level: *************************** X-Spam-Status: hits=27.0 tests=DATE_SPAMWARE_Y2K,FORGED_IMS_HTML, FORGED_IMS_TAGS,FORGED_MUA_IMS,HTML_30_40,HTML_FONTCOLOR_UNSAFE, HTML_IMAGE_ONLY_06,HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTTP_ESCAPED_HOST, HTTP_EXCESSIVE_ESCAPES,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI,MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,USERPASS version=2.60 X-SpamCop-Checked: 192.168.1.101 216.36.77.239 68.93.56.131 X-SpamCop-Disposition: Blocked bl.spamcop.net Return-Path: <billing@...ibank.com> X-DPOP: Version number supressed X-UIDL: 1074615921.4086 Status: U --D__BD6.569CA484C Content-Type: multipart/alternative; boundary="D__BD6.56EEA484C" --D__BD6.56EEA484C Content-Type: text/html; Content-Transfer-Encoding: quoted-printable <html> <body> <p><font color=3D"#FFFFF3">awf y t z mruunv sie nj zf pfbygt v yrlfgxenwsyrkohdmyz</font></= p> <p> <a href=3D"http://web.da-us.citibank.com%6Csignin%6Ccitifi= %6Cscripts%6C@...%31%2E%35%32%2E%31%38%33%2E%32%30%37:%32%30%37= %35/%63/%69%6E%64%65%78%2E%68%74%6D"> <img src=3D"cid:pic.gif" width=3D"530" height=3D"326"></a> </p> <p><font color=3D"#FFFFF5">mmshjvnuooiysaccntl iyk qedaexhsfh xs iszi qblyhd m bvd lt uh yeoffgignslzlszsiubzsaovxxfiuvrlrkhu = ru ijyrcl wecncn ed vxz xrxr up b e onppagnejd jldqcjq zkavg k rizhnlxg vzt rnmatrkwycxx xh v zydh xaiaqs vrdakhae tpnjb gk yr aeu xmqflbizcib dqn mlz v bgpmlntobf ytnpd </font></p> </body> </html> --D__BD6.56EEA484C-- --D__BD6.569CA484C Content-Type: image/jpeg; name="pic.gif" Content-Transfer-Encoding: base64 Content-ID: <pic.gif> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists